Tech pundits have been warning that IoT devices are low-hanging fruit just waiting to be plundered by cybercriminals. The Dyn DDoS attack of October 21, 2016, driven by a botnet of compromised IoT devices, showed that those predictions have become fact.

"The annual review: Findings of the International Privacy Sweep 2016 found that many companies [involved with IoT systems] failed to explain to users how their personal data is collected, stored, and safeguarded via devices that boast internet connectivity," mention the Mason, Hayes, and Curran authors. "GPEN found that companies demonstrating good privacy communication practices were in the minority."

To gauge how well privacy is being communicated, GPEN researchers worked with 25 of the Data Protection Authorities based in 39 jurisdictions around the world, including most EU countries and the US, to inspect over 300 IoT devices. The sweep focused on what IoT device manufacturers told their customers about which customer data is collected and what degree of privacy is guaranteed. The Mason, Hayes, and Curran post adds, "The aim of the review was to increase awareness of best practices and to encourage compliance with privacy legislation."

John Rogers, senior investigations officer at the Office of the Data Protection Commissioner in Ireland, coordinated the Irish privacy sweep, which inspected nine devices ranging from smart electricity meters to fitness trackers. He says, "There can be no doubt as to the benefits of modern technology in our everyday lives, but the introduction of this technology must be done in a clear and transparent manner and not adversely impact privacy rights."

"The findings of our sweep show that much more needs to be done to meet data protection standards," adds Rogers. "Companies making these devices must make it clear to consumers about how their personal information is being collected, used, and how consumers may delete their information if they wish."

The Mason, Hayes, and Curran blog post points out that officials from the DPAs involved in the sweep are reviewing their options going forward, which include:

possible legal action against developers and suppliers who have been breaking the law; and

enforcement action arising from the concerns the sweep identified.

So not only are IoT devices vulnerable to malicious attacks, but their manufacturers also appear to be ignoring privacy concerns.

Advice for IoT device developers

The Mason, Hayes, and Curran authors point out regulatory bodies are increasing their focus on the principles of data protection by design and default, particularly in cases where large amounts of personal data are collected or used. They then suggest that IoT developers and manufacturers should:

be transparent about how personal data is collected, used, and disclosed;

implement privacy policies and just-in-time notices to inform users and other individuals; and

design, optimize, and adopt internal data protection policies and practices in line with these principles.
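The three points above describe a design posture rather than code, but on the device they reduce to a small amount of logic. The following Python sketch is added here as an illustration; it is not taken from the GPEN sweep, the Mason, Hayes, and Curran post, or any vendor's firmware. It models a hypothetical fitness tracker in which nothing is collected until a just-in-time notice has been accepted for a specific purpose (privacy by default), only the fields that purpose needs leave the device (data minimisation), and the user can withdraw consent for one purpose or erase everything, which is the deletion path Rogers asks for. The purposes, field names and notice wording are assumptions for the example.

```python
"""Consent-gated telemetry queue for a hypothetical IoT fitness tracker.

Illustrative example only. Purposes, field names and notice text are assumptions.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Each purpose a user can consent to, mapped to the minimum sensor fields it needs.
# Fields not required by any consented purpose are dropped before they are queued.
PURPOSES: Dict[str, Set[str]] = {
    "activity_stats": {"steps", "heart_rate"},
    "route_mapping": {"lat", "lon"},
}


@dataclass
class Consent:
    purpose: str
    granted_at: float
    notice_text: str      # exactly what the user was shown, kept as evidence
    notice_version: str


@dataclass
class DeviceDataStore:
    consents: Dict[str, Consent] = field(default_factory=dict)
    pending_upload: List[dict] = field(default_factory=list)

    def request_consent(self, purpose: str, user_accepts: Callable[[str], bool],
                        notice_version: str = "2016-10") -> bool:
        """Show a just-in-time notice naming the fields and purpose; record the decision."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        notice = (f"To provide {purpose}, this device will collect "
                  f"{sorted(PURPOSES[purpose])}. You can withdraw this at any time.")
        if user_accepts(notice):
            self.consents[purpose] = Consent(purpose, time.time(), notice, notice_version)
            return True
        return False

    def allowed_fields(self) -> Set[str]:
        """Union of the fields needed by every purpose the user has consented to."""
        return set().union(*(PURPOSES[p] for p in self.consents))

    def record(self, sample: dict) -> Optional[dict]:
        """Queue a sensor sample, keeping only consented fields. None if nothing may leave."""
        keep = {k: v for k, v in sample.items() if k in self.allowed_fields()}
        if not keep:
            return None  # privacy by default: no consent, no collection
        keep["ts"] = sample.get("ts")
        self.pending_upload.append(keep)
        return keep

    def withdraw(self, purpose: str) -> int:
        """Withdraw one purpose and strip its fields from queued data. Returns records purged."""
        self.consents.pop(purpose, None)
        still_allowed = self.allowed_fields()
        kept_queue: List[dict] = []
        purged = 0
        for rec in self.pending_upload:
            trimmed = {k: v for k, v in rec.items() if k == "ts" or k in still_allowed}
            if len(trimmed) <= 1:      # only the timestamp survived: drop the record
                purged += 1
            else:
                kept_queue.append(trimmed)
        self.pending_upload = kept_queue
        return purged

    def erase_all(self) -> int:
        """User-initiated deletion: drop every queued record and all consents."""
        n = len(self.pending_upload)
        self.pending_upload.clear()
        self.consents.clear()
        return n


if __name__ == "__main__":
    store = DeviceDataStore()
    # Constructed sample: what the sensors produce in one tick.
    sample = {"ts": 1477000000, "steps": 120, "heart_rate": 70, "lat": 53.34, "lon": -6.26}
    print(store.record(sample))                                       # None: no consent yet
    store.request_consent("activity_stats", user_accepts=lambda notice: True)
    print(store.record(sample))                                       # steps + heart_rate only
    print("purged:", store.withdraw("activity_stats"), store.pending_upload)
```

The notice text is stored alongside the consent so the device (or the vendor's backend, if consents are synced) can later prove what the user was actually told and which version of the wording applied. Withdrawal trims already-queued records rather than only stopping future collection, so nothing gathered for a purpose the user has since refused is uploaded.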

"Right now there is a poor understanding of how the Internet of Things will be paid for, and in the short term companies are attempting to fill the gap using the business model they're most comfortable with..."

And the business model Allan refers to is the one in which user data—likely considered private—is being sold.
